vercel-labs · cramforce · Apr 13, 2026 · Apr 13, 2026 · Apr 16, 2026 · Apr 26, 2026
@@ -0,0 +1,31 @@
+# Changesets
+
+This repo uses [Changesets](https://github.com/changesets/changesets) to manage versions, generate changelogs, and (eventually) publish to npm.
+
+## Adding a changeset
+
+When you make a change that should land in a release, run:
+
+```bash
+pnpm changeset
+```
+
+You'll be prompted to:
+
+1. Pick the package to bump (`just-bash`).
+2. Choose the bump level — `patch` (bug fix), `minor` (feature, no break), `major` (breaking).
+3. Write a short summary that will appear in the CHANGELOG.
+
+This creates a `.changeset/<random-name>.md` file. Commit it with your PR.
+
+## Skipping a changeset
+
+Internal-only changes (CI, docs, repo housekeeping) don't need a changeset. If you skip one and a maintainer wants the change in a release, they can author one before the release PR.
+
+## Releasing
+
+Once any unreleased changesets land on `main`, the release workflow opens (or updates) a "chore: release" PR with bumped versions and the generated CHANGELOG. The action runs with `commitMode: github-api`, so the release commit is created via the GitHub REST API and auto-signed by GitHub — no GPG keys or bypass exceptions needed.
+
+Merging that PR triggers a publish to npm via the workflow's `publish: pnpm release` step. Authentication uses npm Trusted Publishers (OIDC) — no NPM_TOKEN secret is involved. Each published tarball includes a Sigstore-backed provenance attestation linking it back to the GitHub Actions run.
+
+The npm Trusted Publisher must also be configured before the first publish; see the comment block in `release.yml`.
@@ -0,0 +1,11 @@
+---
+"just-bash": patch
+---
+
+Fix awk lexer to honor POSIX statement continuation across newlines after `,`,
+`{`, `&&`, `||`, `?`, `:`, `do`, `else`, `if`, and `while`. Previously, a
+multi-line idiom like `printf "%s=%d\n", \n  $1, $2` (comma at end-of-line
+followed by indented args on the next line) failed with `Unexpected token:
+NEWLINE` because the lexer emitted a NEWLINE token unconditionally. The
+lexer now suppresses the NEWLINE when it immediately follows one of the
+continuation-allowing tokens, matching POSIX awk.
@@ -0,0 +1,19 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@3/schema.json",
+  "changelog": [
+    "@changesets/changelog-github",
+    { "repo": "vercel-labs/just-bash" }
+  ],
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "public",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": [
+    "bash-agent-example",
+    "cjs-consumer-example",
+    "custom-command-example",
+    "website"
+  ]
+}
@@ -1 +1 @@
-vendor/cpython-emscripten/python.wasm filter=lfs diff=lfs merge=lfs -text
+packages/just-bash/vendor/cpython-emscripten/python.wasm filter=lfs diff=lfs merge=lfs -text
@@ -0,0 +1,9 @@
+# Default: changes anywhere need a review from a maintainer.
+* @cramforce
+
+# Release plumbing — the workflow is bound to npm Trusted Publisher by
+# filename, so a rename or behavioural change is a security-relevant edit.
+# Keep these locked to maintainers explicitly.
+/.github/workflows/release.yml @cramforce
+/.changeset/config.json        @cramforce
+/.github/CODEOWNERS            @cramforce
@@ -0,0 +1,91 @@
+name: Release
+
+# Opens / updates a "chore: release" PR when changesets are queued on main.
+# Uses changesets/action with `commitMode: github-api`, so commits go through
+# the GitHub REST API and are auto-signed by GitHub's signing key. This
+# satisfies the "Commits must have verified signatures" repository rule
+# without any GPG key management or bypass exceptions.
+#
+# Publishing to npm is enabled via the npm Trusted Publisher mechanism.
+# The workflow filename (`release.yml`) is bound to the publisher config on
+# npm.com — renaming or replacing this file will break publishing until the
+# npm-side setting is updated to match.
+#
+# See https://docs.npmjs.com/trusted-publishers for the publisher binding.
+
+on:
+  push:
+    branches: [main]
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          lfs: true
+
+      - uses: pnpm/action-setup@v4
+
+      # Node 24 (LTS Krypton) ships npm >= 11.12, which has Trusted Publisher
+      # OIDC authentication. Node 22's bundled npm 10.x can sign provenance
+      # attestations but cannot use OIDC tokens to authenticate the publish
+      # itself, leading to a confusing 404 after provenance signing succeeds.
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+          cache: "pnpm"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      # Re-run the full validation gate on the merge commit before doing
+      # anything release-related. Branch protection covers the PR's HEAD,
+      # but flaky tests, dep drift, or admin merges can let a broken commit
+      # land on main. Anything publish-worthy must pass these checks first.
+      - name: Lint
+        run: pnpm lint
+
+      - name: Knip
+        run: pnpm knip
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+      - name: Build
+        run: pnpm --filter './packages/*' build
+
+      - name: Check worker sync
+        run: pnpm check:worker-sync
+
+      - name: Unit tests
+        run: pnpm test:unit
+
+      - name: Comparison tests
+        run: pnpm test:comparison
+
+      - name: WASM tests
+        run: pnpm test:wasm
+
+      - name: Bundle smoke test
+        run: pnpm test:dist
+
+      - name: Create release PR or publish
+        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
+        with:
+          version: pnpm version-packages
+          publish: pnpm release
+          commit: "chore: release"
+          title: "chore: release"
+          commitMode: github-api
+        env:
+          NPM_CONFIG_PROVENANCE: "true"
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -23,24 +23,14 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Typecheck
+      - name: Typecheck packages
         run: pnpm typecheck
 
       - name: Build
         run: pnpm build
 
-      - name: Install example dependencies
-        run: pnpm install --frozen-lockfile
-        working-directory: examples/bash-agent
-
-      - name: Typecheck example
-        run: pnpm typecheck
-        working-directory: examples/bash-agent
-
-      - name: Install CJS example dependencies
-        run: pnpm install --no-frozen-lockfile
-        working-directory: examples/cjs-consumer
+      - name: Typecheck bash-agent example
+        run: pnpm --filter bash-agent-example typecheck
 
-      - name: Typecheck CJS example
-        run: npx tsc --noEmit
-        working-directory: examples/cjs-consumer
+      - name: Typecheck cjs-consumer example
+        run: pnpm --filter cjs-consumer-example typecheck
@@ -5,7 +5,6 @@ package-lock.json
 .idea
 .env
 .env.*
-dist
 /coverage
 debug-*.ts
 test-*.ts
@@ -16,7 +15,5 @@ todo/
 *.parsed.json
 .pnpm-store
 .docs-test-tmp/
-src/commands/python3/worker.js
-src/commands/js-exec/worker.js
 fuzz-*.log
 .claude/settings.local.json
@@ -0,0 +1,7 @@
+# The @executor-js/* packages are recent prereleases that don't satisfy the
+# default `minimum-release-age` constraint some developers have set globally.
+# Exempt them so `pnpm install` works without flags.
+minimum-release-age-exclude[]=@executor-js/sdk
+minimum-release-age-exclude[]=@executor-js/plugin-graphql
+minimum-release-age-exclude[]=@executor-js/plugin-openapi
+minimum-release-age-exclude[]=@executor-js/plugin-mcp
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		vendor/cpython-emscripten/python.wasm filter=lfs diff=lfs merge=lfs -text
		packages/just-bash/vendor/cpython-emscripten/python.wasm filter=lfs diff=lfs merge=lfs -text